perfSONAR User Q&A and Other Discussion

[Jason Zurawski <>]

Hey Roderick;

As an FYI the LHCOPN document was produced by external parties, but the 
suggestions are sound depending on the policy set forth by the operating 
institution.  Note the date is about 2 years ago, so some of the items they 
are working around could have been addressed in subsequent releases.  

Earlier this year we published some information on ways to allow the toolkit 
to work better with firewalls:

  http://psps.perfsonar.net/toolkit/firewalls.html

Coupled with this, the latest release has a stub iptables file that can be 
used to implement host based filtering if that is so desired.   

One thing that I think we discussed (not sure if it was implemented) was 
putting in some SSH protections like these: 
http://codeghar.wordpress.com/2010/04/25/secure-your-ssh/. Many people 
already implement the throttling suggestions, and that meets the checkbox for 
security on that service in many cases.  It may also make sense to disallow 
root logins, or empty passwords (once the machine is setup).  Those are a 
little harder for us to do by default, but certainly could work well.  

As a part of a broader campus/network security plan, its always a good idea 
to consider the use of systems that watch for strange behavior (tripwire, 
bro), and lots of sites do this already.  

Trying to integrate federated login techniques to the performance node has 
been shown to work, I know some locations have installed the kerberos from 
the CentoOS repos, and configured it as they would any other system.

Lastly, if sites are using a non-pemanent install (like a live CD), they 
often can get away with calling this an 'appliance', and thus a reboot can be 
used to clean out the system in the event that something bad does happen.

In general, our stance remains that to get accurate measurements of the 
network, the performance node should be free of infrastructure that will 
limit performance.  There is value in seeing 'what the users see' however, so 
users have to have their connectivity dragged through devices that limit 
performance, the performance node should do so as well.  

Hope this helps;

-jason

On Jun 27, 2013, at 7:53 AM, Roderick Mooi wrote:

> Hi everyone,
> 
> What advice/recommendations are available for securing perfSONAR servers 
> and/or the toolkit itself?
> 
> I've previously used this guide:
> https://twiki.cern.ch/twiki/pub/LHCOPN/PerfsonarPS/perfSONAR-PS_Security_Guidelines.pdf
>  
> 
> Are there any updates or other resources or recommendations particularly 
> for v3.3?
> 
> Thanks very much!
> 
> Regards,
> 
> Roderick
> 
> 
> -- 
> This message is subject to the CSIR's copyright terms and conditions, 
> e-mail legal notice, and implemented Open Document Format (ODF) standard. 
> The full disclaimer details can be found at 
> http://www.csir.co.za/disclaimer.html.
> 
> This message has been scanned for viruses and dangerous content by 
> MailScanner, 
> and is believed to be clean.
> 
> Please consider the environment before printing this email.